Actions
Actions define what operations a subject can perform on the target objects. The actions field is required and accepts a list of action strings.
Available Actions
| Action | Description |
|---|---|
| `read` | Allows reading/viewing resources |
| `write` | Allows creating or modifying resources |
| `delete` | Allows deleting resources |
| `playbook:run` | Allows running playbooks |
| `playbook:approve` | Allows approving playbook runs that require approval |
| `playbook:cancel` | Allows canceling playbook runs |
Wildcards
You can use wildcards to grant multiple permissions at once:
| Wildcard | Description |
|---|---|
| `playbook:*` | Grants all playbook-related permissions (run, approve, cancel) |
| `*` | Grants all permissions (use with caution) |
Examples
Read-Only Access
```yaml title="read-only-permission.yaml"
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: viewer-access
spec:
  description: Read-only access to configs
  subject:
    team: viewers
  actions:
    - read
  object:
    configs:
      - name: "*"
```
Full Playbook Access
```yaml title="playbook-full-access.yaml"
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: playbook-admin
spec:
  description: Full playbook management access
  subject:
    team: platform-team
  actions:
    - playbook:*
  object:
    playbooks:
      - name: "*"
```
Multiple Actions
```yaml title="multiple-actions.yaml"
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: editor-access
spec:
  description: Read and write access to configs
  subject:
    person: editor@example.com
  actions:
    - read
    - write
  object:
    configs:
      - namespace: production
```
Playbook Run and Approve
```yaml title="run-approve-permission.yaml"
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: playbook-operator
spec:
  description: Allow running and approving playbooks
  subject:
    team: operators
  actions:
    - playbook:run
    - playbook:approve
  object:
    playbooks:
      - labels:
          category: maintenance
```
Admin Access (All Permissions)
```yaml title="admin-permission.yaml"
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: admin-all-access
spec:
  description: Full admin access (use sparingly)
  subject:
    team: admins
  actions:
    - "*"
```
Warning: Using `*` (all permissions) should be limited to administrative roles. Always prefer granting the minimum necessary permissions.
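One way to review Permission manifests against the wildcard rules and the warning above; this is an added example, not part of Mission Control. It assumes manifests are already loaded into dicts, takes its list of valid actions only from the tables on this page, and the `admin_teams` allow-list and both sample manifests are hypothetical.

```python
# Added example: an audit helper, not part of Mission Control.
# KNOWN_ACTIONS is taken from the tables on this page; the product may define more.
KNOWN_ACTIONS = {"read", "write", "delete",
                 "playbook:run", "playbook:approve", "playbook:cancel"}


def expand_actions(actions):
    """Expand wildcards; return (effective action set, unrecognised entries)."""
    effective, unknown = set(), []
    for action in actions:
        if action == "*":
            matched = set(KNOWN_ACTIONS)
        elif action.endswith(":*"):
            prefix = action[:-1]  # "playbook:*" -> "playbook:"
            matched = {a for a in KNOWN_ACTIONS if a.startswith(prefix)}
        else:
            matched = {action} & KNOWN_ACTIONS
        if matched:
            effective |= matched
        else:
            unknown.append(action)  # e.g. a typo such as "playbook:aprove"
    return effective, unknown


def audit(permission, admin_teams=("admins",)):
    """Findings for one manifest dict; admin_teams is an assumed allow-list for "*"."""
    spec = permission.get("spec", {})
    name = permission.get("metadata", {}).get("name", "<unnamed>")
    actions = spec.get("actions") or []
    findings = []
    if not actions:
        findings.append(f"{name}: 'actions' is required but missing or empty")
    _, unknown = expand_actions(actions)
    findings += [f"{name}: unknown action {a!r}" for a in unknown]
    if "*" in actions and spec.get("subject", {}).get("team") not in admin_teams:
        findings.append(f"{name}: '*' granted outside the admin teams")
    return findings


# Constructed sample manifests (as a YAML loader would return them).
PLAYBOOK_ADMIN = {"metadata": {"name": "playbook-admin"},
                  "spec": {"subject": {"team": "platform-team"}, "actions": ["playbook:*"]}}
RISKY = {"metadata": {"name": "viewer-typo"},
         "spec": {"subject": {"team": "viewers"}, "actions": ["*", "playbook:aprove"]}}

if __name__ == "__main__":
    print(sorted(expand_actions(PLAYBOOK_ADMIN["spec"]["actions"])[0]))
    for line in audit(PLAYBOOK_ADMIN) + audit(RISKY):
        print(line)
```

Running such a check in CI before manifests are applied catches a stray `*` or a misspelled action at review time.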